Forensic Fundamentals: Endpoint Investigations

This course covers the fundamentals of live-analysis forensics and the investigation of endpoints.

Hands-on activities span the entire forensics process, beginning with a FireEye-generated alert, leading to discovery and analysis of the host for evidence of malware and other unwanted intrusion.

Analysis of computer systems will be performed using FireEye products and freely available tools.

Learning Objectives

After completing this course, learners should be able to:

  • Describe methods of live analysis
  • Demonstrate the ability to plan, execute and report on a digital forensic examination
  • Investigate a Redline triage package using a defined methodology
  • Validate and provide further context for FireEye alerts
  • Identify malicious activity hidden among common Windows events

Who Should Attend

Network security professionals and incident responders who must use alerts generated by FireEye products to conduct cyber forensics.

Prerequisites

Completion of the Alert Analysis course. Windows systems administration skills. Familiarity with basic command line interface (CLI) commands.

Duration

2 days

Instructor-Led Training

Courses cannot be purchased or accessed from this site.

If you would like to register for this course, please contact your FireEye account manager.

Thank you.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

Day 1
  1. Knowing Normal Across Your Environment
    • Common system processes and attributes
    • Identifying malicious processes
    • Audit Viewer and Redline
  2. FireEye Source Alerts and Integration
    • Identifying forensic artifacts in the OS Change detail
    • Mapping artifacts to actual events recorded by the agent
    • Pcap analysis
  3. Data Acquisitions
    • Various acquisition methods, such as HX, Redline, and PowerShell
    • Locations of evidence as they map to the Mandiant Attack Lifecycle
Day 2
  1. Investigation Methodology
    • Defining a hypothesis from an alert
    • Validating an alert
    • Pivoting and expanding the scope of investigation
    • Identifying network activity
    • Tracking processes
    • Identifying human-driven activity
    • Documenting findings
  2. Memory Analysis
    • Collating evidence
    • Memory Analysis
Optional Content
  1. Legal and Ethical Principles
    • What is forensics?
    • Overview of the legal requirements and authority to proceed
    • How to be ethical in your examination